A new project from the cybersecurity firm Bugcrowd and a University of California researcher aims to protect well-intentioned hackers from legal action when they reveal security vulnerabilities in an organization’s networks or software.
The project, called Disclose.io, offers companies, academic institutions or even government agencies a standard legal agreement they can post that says, in effect, it’s okay to hack us if you do it in good faith. It’s a way to tell security researchers — sometimes called white hat hackers — that they won’t get sued or face criminal charges if they find a flaw on an organization’s systems and report it responsibly.
The effort highlights how federal anti-hacking laws aren’t keeping pace with the way security vulnerabilities are often identified and patched. Laws such as the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act don’t contain protections for researchers who disclose bugs, creating a legal gray area discouraging ethical hacking. Disclose.io could help close that gap.
“It should be built into those policies, but we’re not there yet. And this is a stopgap for people to take advantage of until we’re there,” said Jason Haddix, Bugcrowd’s vice president of trust and security.
The problem is real and well known. In recent years, companies have sued or threatened legal action against researchers who have uncovered serious vulnerabilities — sometimes to prevent an embarrassing flaw from being disclosed publicly. In one extreme example last year, the FBI investigated security researchers in Georgia who discovered that millions of voter registration records were publicly accessible on the state’s election website.
And it’s not just the law that hasn’t caught up. Private companies and other organizations have widely inconsistent approaches for handling these disclosures. Some have no policies in place for protecting security researchers. And even those that do tend to use convoluted or murky legal language, Haddix said. That makes it difficult for white hat hackers to draw the line between what an organization sees as permissible and what could get them in trouble.
“A lot of times the legal language can get like spaghetti,” Haddix told me. “It’s hard to unwrap if you're not a lawyer.” In turn, he said, researchers are reluctant to report potentially serious security flaws because they fear the repercussions.
Disclose.io seeks to simplify things. It offers a template with boilerplate language that spells out in plain terms what security researchers can and can’t do if they decide to probe for bugs, and offers them legal safe harbor if they play by the rules. The template is open sourced, meaning anyone is free to use it or modify it. The target audience is “everyone on the Internet,” Haddix said — from major tech companies to mom-and-pop shops.
It's a sign that the private sector is taking the lead on this issue, rather than waiting for the government to take action, Ars Technica’s Sean Gallagher wrote in a post on Disclose.io: “Given how regulated information security practices have become in some industries — and how badly legislation regarding any sort of hacking has been handled over the past few years — using ‘open source,’ battle-tested boilerplate contracts to speed adoption of disclosure and bug bounty programs might be a lot easier and a lot less expensive than anything mandated by new government regulation.”
Disclose.io grew out of work by Amit Elazari, a doctoral candidate at the University of California at Berkeley School of Law, who has advocated for standardizing disclosure and bug bounty programs, which offer financial rewards for reporting flaws. Some early incarnations of the project have been promising. Mozilla executives recently credited Elazari for motivating them to add new safeguards to their bug bounty program. “The legal protections afforded to bounty program participants have failed to evolve,” they wrote, “putting security researchers at risk and possibly stifling that research.”
Other companies have rolled out programs like the one Disclose.io proposes.
Dropbox, for example, revised its disclosure terms earlier this year to better protect white hat hackers after a security firm sued a reporter for writing about an apparent bug in its software. “Anything that stifles open security research is problematic,” Dropbox's head of security wrote in a blog post, “because many of the advances in security that we all enjoy come from the wonderful combined efforts of the security research community.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: “Top national security officials made a rare appearance in the White House briefing room Thursday to warn that Russia continues to target the U.S. election system and vow that the Trump administration has made combating interference a priority ahead of the midterms in November,” The Washington Post's Shane Harris and Felicia Sonmez reported. “Although the officials, including Director of National Intelligence Daniel Coats and national security adviser John Bolton, did not offer new details about any attacks or announce new policies, their show of unity just steps from the Oval Office appeared aimed at easing public concerns about President Trump’s public skepticism of Russia’s intentions.”
In addition to Coats and Bolton, FBI Director Christopher A. Wray, Homeland Security Secretary Kirstjen Nielsen and National Security Agency Director Paul Nakasone also briefed reporters on election security. “In regards to Russian involvement in the midterm elections, we continue to see a pervasive messaging campaign by Russia to try to weaken and divide the United States,” Coats said, as quoted by my colleagues. Wray said the FBI has got “open investigations with a foreign influence nexus” across the country. “Make no mistake, the scope of this foreign influence threat is both broad and deep,” he said.
“Nakasone, who is also the newly installed commander of U.S. Cyber Command, which has the authority to attack and disable foreign computer networks, was asked what orders he had been given to counteract Russian interference,” Harris and Sonmez wrote. “Nakasone did not answer that question directly. 'We’re not going to accept meddling in the elections,' he said.”
PATCHED: “A bipartisan group of senators has unveiled a comprehensive package of Russia sanctions and measures to counter cybercrime, the latest attempt to push congressional leaders to intensify punitive measures against would-be election hackers ahead of November,” my colleague Karoun Demirjian reported on Thursday.
The proposed legislation includes several cybersecurity measures, such as the creation of an Office of Cyberspace and the Digital Economy at the State Department, according to a statement from Sen. Lindsey O. Graham's (R-S.C.), one of the measure's sponsors. Another provision would punish Russians who have “the capacity or ability to support or facilitate malicious cyber activities.”
Additionally, the package contains two bills that Graham introduced this week alongside Sens. Sheldon Whitehouse (D-R.I.) and Richard Blumenthal (D-Conn.). Under the International Cybercrime Prevention Act, prosecutors would have the ability to take down botnets while the second bill ... would make hacking voting systems used in federal elections a federal crime.
“The current sanctions regime has failed to deter Russia from meddling in the upcoming 2018 midterm elections,” Graham said in a statement. “Our goal is to change the status quo and impose crushing sanctions and other measures against Putin’s Russia until he ceases and desists meddling in the US electoral process, halts cyber-attacks on US infrastructure, removes Russia from Ukraine, and ceases efforts to create chaos in Syria.”
PWNED: A Russian woman who worked for the U.S. Secret Service at the U.S. Embassy in Moscow turned out to be a suspected spy with access to the Secret Service's intranet and email, The Guardian's Nick Hopkins reported Thursday. “The woman had been working for the Secret Service for years before she came under suspicion in 2016 during a routine security sweep conducted by two investigators from the US Department of State’s Regional Security Office (RSO),” Hopkins wrote. “They established she was having regular and unauthorised meetings with members of the FSB, Russia’s principal security agency.”
The suspected spy, who worked at the embassy for over a decade, was let go last summer. A source told The Guardian that the woman could access sensitive information. “‘She had access to the most damaging database, which is the US Secret Service official mail system,’ the source said,” Hopkins wrote. “‘Part of her access was schedules of the president — current and past, vice-president and their spouses, including Hillary Clinton.’” In a statement, the Secret Service did not deny that the woman, who was part of a category of employees called Foreign Service Nationals, had been suspected of spying, according to the Guardian. “At no time, in any US Secret Service office, have FSNs been provided or placed in a position to obtain national security information,” the agency said in the statement.
— More cybersecurity news:
— Several reporters and analysts pointed out the contrast between the warnings that top U.S. officials issued about Russian efforts to interfere in the elections and Trump's statements on the matter:
From The Post's Philip Rucker:
As FBI, DNI, DHS & Pentagon announce that Russia is attempting to interfere in US midterm elections, as long warned, recall 2.5 weeks ago Trump stood next to Putin, refused to confront him and called his denial of 2016 interference strong and powerful.— Philip Rucker (@PhilipRucker) August 2, 2018
From CNN's Kaitlan Collins:
A candid, unequivocal warning from the nation's security chiefs at the White House lectern today — making crystal clear that yes, Russia is still trying to influence our elections. The obvious backdrop making things awkward? A president who hasn’t been nearly as blunt.— Kaitlan Collins (@kaitlancollins) August 2, 2018
From The Hill's Jordan Fabian:
Again, remarkable to witness the gulf between the president and his own team on the topic of Russian election interference https://t.co/K11tlXPmjw— Jordan Fabian (@Jordanfabian) August 2, 2018
From the Wall Street Journal's Dustin Volz:
The extreme disconnect between intelligence community leadership and the White House on Russia interference, aired on live television in record-breaking time https://t.co/8F4mY3DdLf— Dustin Volz (@dnvolz) August 2, 2018
From Clint Watts, a former FBI agent and senior fellow at George Washington University's Center for Cyber and Homeland Security:
FBI Director Wray demonstrates today that US institutions, with regards to Russia election interference, have moved around the White House to fulfill their obligations to the American people. President Trump has weakened defenses against foreign interference via neglect.— Clint Watts (@selectedwisdom) August 2, 2018
— “With the midterm elections just three months away, campaigns are largely on their own in the increasingly challenging task of protecting sensitive information and countering false or misleading content on social media,” the Associated Press’s Steve Peoples and Christina A. Cassidy report.
Raffi Krikorian, the Democratic National Committee’s chief technology officer, told the AP that small campaigns may struggle to find support in defending themselves from cyberthreats as the DNC’s resources are limited. “For all the high-level campaigns I’m worried, but at least there are people to talk to,” Krikorian said. “The mid-sized campaigns are at least getting technical volunteers, but the truly down-ballot campaigns, that’s where the state parties and coordinated campaigns can help, but there’s no doubt that this is an uphill battle when we’re dealing with a foreign adversary.”
— Sens. Ron Wyden (D-Ore.) and Rand Paul (R-Ky.) have questions about the NSA’s announcement in late June that the agency had started deleting all call records since 2015 it obtained from telecom service providers under the Foreign Intelligence Surveillance Act.
The NSA said in a June statement that because of “technical irregularities,” the agency received some call records it was not authorized to obtain. In a letter released yesterday, Wyden and Paul asked Robert Storch, the NSA’s inspector general, to investigate how the agency came to delete those records. “Vital questions remain about how the NSA collects sensitive information, as well as how the agency has addressed its latest admitted violations of the law and Americans’ privacy,” Paul said in a statement. “Our letter seeks answers to help ensure innocent Americans' rights are being respected.”
— More cybersecurity news from the public sector:
— “Organizers behind the newly revealed batch of fake Facebook accounts often sought to work alongside legitimate groups organizing rallies and protests in the U.S., marking a new strategy in efforts to sow discord through social media ahead of the midterm elections,” the Wall Street Journal reports. “Collaborating with grass-roots organizations on existing events goes beyond the tactics employed by the Internet Research Agency, according to Graham Brookie, director of the Atlantic Council’s Digital Forensic Research Lab, which analyzes misinformation online and works with Facebook. The Kremlin-backed IRA group created hundreds of fake accounts and pages on social media during and after the 2016 U.S. election.”
— More cybersecurity news from the private sector:
— A hacker group with ties to Pakistan launched cyberattacks against government agencies in the United States, Britain, Spain and Russia, according to a report released Thursday by Palo Alto Networks’s Unit 42 threat research team.
The researchers said they noticed the attacks in February from the hackers, who they refer to as the “Gorgon Group.” The following month, they discovered that U.S., Russian and Spanish government agencies that operate in Pakistan were the targets of cyberattacks. “As we continued to investigate, it became apparent that Gorgon Group had been consistently targeting worldwide governmental organizations operating within Pakistan,” the researchers wrote.
Aside from targeting government organizations, the hackers also engaged in cybercrime across the world. Gorgon Group was effective but its attacks “lacked overall sophistication,” according to the report.
— More cybersecurity news from abroad:
- Black Hat USA security conference on Aug. 8 through Aug. 9 in Las Vegas.
- DEF CON security conference on Aug. 9 through Aug. 12 in Las Vegas.
What you need to know about Paul Manafort and the Foreign Agents Registration Act:
Ride in Elon Musk's Tesla Model 3, a giant phone on wheels:
Late-night hosts on Paul Manafort’s ostrich jacket: